summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog3
-rw-r--r--regress/cert-hostkey.sh64
-rw-r--r--regress/cert-userkey.sh161
3 files changed, 183 insertions, 45 deletions
diff --git a/ChangeLog b/ChangeLog
index 116ce569a..f6c61d89d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -39,6 +39,9 @@
39 [regress/cert-hostkey.sh regress/cert-userkey.sh] 39 [regress/cert-hostkey.sh regress/cert-userkey.sh]
40 add an extra test to ensure that authentication with the wrong 40 add an extra test to ensure that authentication with the wrong
41 certificate fails as it should (and it does) 41 certificate fails as it should (and it does)
42 - djm@cvs.openbsd.org 2010/03/04 10:38:23
43 [regress/cert-hostkey.sh regress/cert-userkey.sh]
44 additional regression tests for revoked keys and TrustedUserCAKeys
42 45
4320100303 4620100303
44 - (djm) [PROTOCOL.certkeys] Add RCS Ident 47 - (djm) [PROTOCOL.certkeys] Add RCS Ident
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 9097a1359..3fda667cb 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-hostkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
@@ -50,6 +50,68 @@ for privsep in yes no ; do
50 done 50 done
51done 51done
52 52
53# Revoked certificates with key present
54(
55 echon '@cert-authority '
56 echon "$HOSTS "
57 cat $OBJ/host_ca_key.pub
58 echon '@revoked '
59 echon "* "
60 cat $OBJ/cert_host_key_rsa.pub
61 echon '@revoked '
62 echon "* "
63 cat $OBJ/cert_host_key_dsa.pub
64) > $OBJ/known_hosts-cert
65for privsep in yes no ; do
66 for ktype in rsa dsa ; do
67 verbose "$tid: host ${ktype} revoked cert privsep $privsep"
68 (
69 cat $OBJ/sshd_proxy_bak
70 echo HostKey $OBJ/cert_host_key_${ktype}
71 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
72 echo UsePrivilegeSeparation $privsep
73 ) > $OBJ/sshd_proxy
74
75 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
76 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
77 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
78 if [ $? -eq 0 ]; then
79 fail "ssh cert connect succeeded unexpectedly"
80 fi
81 done
82done
83
84# Revoked CA
85(
86 echon '@cert-authority '
87 echon "$HOSTS "
88 cat $OBJ/host_ca_key.pub
89 echon '@revoked '
90 echon "* "
91 cat $OBJ/host_ca_key.pub
92) > $OBJ/known_hosts-cert
93for ktype in rsa dsa ; do
94 verbose "$tid: host ${ktype} revoked cert"
95 (
96 cat $OBJ/sshd_proxy_bak
97 echo HostKey $OBJ/cert_host_key_${ktype}
98 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
99 ) > $OBJ/sshd_proxy
100 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
101 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
102 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
103 if [ $? -eq 0 ]; then
104 fail "ssh cert connect succeeded unexpectedly"
105 fi
106done
107
108# Create a CA key and add it to known hosts
109(
110 echon '@cert-authority '
111 echon "$HOSTS "
112 cat $OBJ/host_ca_key.pub
113) > $OBJ/known_hosts-cert
114
53test_one() { 115test_one() {
54 ident=$1 116 ident=$1
55 result=$2 117 result=$2
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 874915205..7a58e7b75 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-userkey.sh,v 1.2 2010/03/03 00:47:23 djm Exp $ 1# $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified user keys" 4tid="certified user keys"
@@ -6,13 +6,9 @@ tid="certified user keys"
6rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* 6rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8 8
9# Create a CA key and add it to authorized_keys 9# Create a CA key
10${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ 10${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
11 fail "ssh-keygen of user_ca_key failed" 11 fail "ssh-keygen of user_ca_key failed"
12(
13 echon 'cert-authority '
14 cat $OBJ/user_ca_key.pub
15) > $OBJ/authorized_keys_$USER
16 12
17# Generate and sign user keys 13# Generate and sign user keys
18for ktype in rsa dsa ; do 14for ktype in rsa dsa ; do
@@ -26,64 +22,140 @@ for ktype in rsa dsa ; do
26 fail "couldn't sign cert_user_key_${ktype}" 22 fail "couldn't sign cert_user_key_${ktype}"
27done 23done
28 24
29# Basic connect tests 25basic_tests() {
30for privsep in yes no ; do 26 auth=$1
27 if test "x$auth" = "xauthorized_keys" ; then
28 # Add CA to authorized_keys
29 (
30 echon 'cert-authority '
31 cat $OBJ/user_ca_key.pub
32 ) > $OBJ/authorized_keys_$USER
33 else
34 echo > $OBJ/authorized_keys_$USER
35 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
36 fi
37
31 for ktype in rsa dsa ; do 38 for ktype in rsa dsa ; do
32 verbose "$tid: user ${ktype} cert connect privsep $privsep" 39 for privsep in yes no ; do
40 _prefix="${ktype} privsep $privsep $auth"
41 # Simple connect
42 verbose "$tid: ${_prefix} connect"
43 (
44 cat $OBJ/sshd_proxy_bak
45 echo "UsePrivilegeSeparation $privsep"
46 echo "$extra_sshd"
47 ) > $OBJ/sshd_proxy
48
49 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
50 -F $OBJ/ssh_proxy somehost true
51 if [ $? -ne 0 ]; then
52 fail "ssh cert connect failed"
53 fi
54
55 # Revoked keys
56 verbose "$tid: ${_prefix} revoked key"
57 (
58 cat $OBJ/sshd_proxy_bak
59 echo "UsePrivilegeSeparation $privsep"
60 echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
61 echo "$extra_sshd"
62 ) > $OBJ/sshd_proxy
63 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
64 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
65 if [ $? -eq 0 ]; then
66 fail "ssh cert connect succeeded unexpecedly"
67 fi
68 done
69
70 # Revoked CA
71 verbose "$tid: ${ktype} $auth revoked CA key"
33 ( 72 (
34 cat $OBJ/sshd_proxy_bak 73 cat $OBJ/sshd_proxy_bak
35 echo "UsePrivilegeSeparation $privsep" 74 echo "RevokedKeys $OBJ/user_ca_key.pub"
75 echo "$extra_sshd"
36 ) > $OBJ/sshd_proxy 76 ) > $OBJ/sshd_proxy
37
38 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ 77 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
39 somehost true 78 somehost true >/dev/null 2>&1
40 if [ $? -ne 0 ]; then 79 if [ $? -eq 0 ]; then
41 fail "ssh cert connect failed" 80 fail "ssh cert connect succeeded unexpecedly"
42 fi 81 fi
43 done 82 done
44done 83
84 verbose "$tid: $auth CA does not authenticate"
85 (
86 cat $OBJ/sshd_proxy_bak
87 echo "$extra_sshd"
88 ) > $OBJ/sshd_proxy
89 verbose "$tid: ensure CA key does not authenticate user"
90 ${SSH} -2i $OBJ/user_ca_key \
91 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
92 if [ $? -eq 0 ]; then
93 fail "ssh cert connect with CA key succeeded unexpectedly"
94 fi
95}
45 96
46verbose "$tid: ensure CA key does not authenticate user" 97basic_tests authorized_keys
47${SSH} -2i $OBJ/user_ca_key -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 98basic_tests TrustedUserCAKeys
48if [ $? -eq 0 ]; then
49 fail "ssh cert connect with CA key succeeded unexpectedly"
50fi
51 99
52test_one() { 100test_one() {
53 ident=$1 101 ident=$1
54 result=$2 102 result=$2
55 sign_opts=$3 103 sign_opts=$3
56 104 auth_choice=$4
57 verbose "$tid: test user cert connect $ident expect $result" 105
106 if test "x$auth_choice" = "x" ; then
107 auth_choice="authorized_keys TrustedUserCAKeys"
108 fi
58 109
59 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ 110 for auth in $auth_choice ; do
60 $sign_opts \ 111 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
61 $OBJ/cert_user_key_rsa || 112 if test "x$auth" = "xauthorized_keys" ; then
62 fail "couldn't sign cert_user_key_rsa" 113 # Add CA to authorized_keys
114 (
115 echon 'cert-authority '
116 cat $OBJ/user_ca_key.pub
117 ) > $OBJ/authorized_keys_$USER
118 else
119 echo > $OBJ/authorized_keys_$USER
120 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \
121 $OBJ/sshd_proxy
63 122
64 ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
65 somehost true >/dev/null 2>&1
66 rc=$?
67 if [ "x$result" = "xsuccess" ] ; then
68 if [ $rc -ne 0 ]; then
69 fail "ssh cert connect $ident failed unexpectedly"
70 fi 123 fi
71 else 124
72 if [ $rc -eq 0 ]; then 125 verbose "$tid: $ident auth $auth expect $result"
73 fail "ssh cert connect $ident succeeded unexpectedly" 126 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
127 -I "regress user key for $USER" \
128 $sign_opts \
129 $OBJ/cert_user_key_rsa ||
130 fail "couldn't sign cert_user_key_rsa"
131
132 ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
133 somehost true >/dev/null 2>&1
134 rc=$?
135 if [ "x$result" = "xsuccess" ] ; then
136 if [ $rc -ne 0 ]; then
137 fail "$ident failed unexpectedly"
138 fi
139 else
140 if [ $rc -eq 0 ]; then
141 fail "$ident succeeded unexpectedly"
142 fi
74 fi 143 fi
75 fi 144 done
76 cleanup
77} 145}
78 146
79test_one "host-certificate" failure "-h" 147test_one "correct principal" success "-n ${USER}"
80test_one "empty principals" success "" 148test_one "host-certificate" failure "-n ${USER} -h"
81test_one "wrong principals" failure "-n foo" 149test_one "wrong principals" failure "-n foo"
82test_one "cert not yet valid" failure "-V20200101:20300101" 150test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
83test_one "cert expired" failure "-V19800101:19900101" 151test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
84test_one "cert valid interval" success "-V-1w:+2w" 152test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
85test_one "wrong source-address" failure "-Osource-address=10.0.0.0/8" 153test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
86test_one "force-command" failure "-Oforce-command=false" 154test_one "force-command" failure "-n ${USER} -Oforce-command=false"
155
156# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
157test_one "empty principals" success "" authorized_keys
158test_one "empty principals" failure "" TrustedUserCAKeys
87 159
88# Wrong certificate 160# Wrong certificate
89for ktype in rsa dsa ; do 161for ktype in rsa dsa ; do
@@ -101,3 +173,4 @@ for ktype in rsa dsa ; do
101done 173done
102 174
103rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* 175rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
176